On 1/14/19 9:39 AM, Vladimir Kozlov wrote:
Thank you, Alan
On 1/14/19 2:27 AM, Alan Bateman wrote:
On 13/01/2019 02:46, Vladimir Kozlov wrote:
http://cr.openjdk.java.net/~kvn/8216151/webrev.00/
https://bugs.openjdk.java.net/browse/JDK-8216151
Have to update default.policy after changes in
jdk.internal.vm.compiler.management files done by JDK-8199755:
"Update Graal".
Ran CheckAccessClassInPackagePermissions.java test.
cc'ing security-dev as that is where is the security policy file is
maintained.
One thing is double check is that code in
jdk.internal.vm.compiler.management really needs to access members of
classes in the listed packages. I ask because the module definition
doesn't export some of these packages to
jdk.internal.vm.compiler.management so they aren't accessible even
when not running with a security manager.
I verified that all listed packages are used by compiler.management
and I listed only needed in default.policy. I used
CheckAccessClassInPackagePermissions.java test to find which
permissions are needed.
I reviewed the change and the list matches the list of qualified exports
from jdk.internal.vm.compiler to jdk.internal.vm.compiler.management.
The security team has been looking into removing the private VM call out
to ClassLoader::checkPackageAccess. When that's removed, we would not
need to maintain these accessClassInPackage permission to access any new
qualified exports.
Mandy
